Hello Unidata AWIPS users,

Late last week, security researchers revealed a security vulnerability in some versions of the commonly-used Apache library log4J. The vulnerability is a Remote Code Execution (RCE) exploit that allows an attacker who can control log messages to execute arbitrary code loaded from attacker-controlled servers. Because it allows an attacker to execute arbitrary code on affected systems, the National Vulnerability Database operated by the U.S. Department of Commerce’s National Institute of Standards and Technology (which identifies the exploit as CVE-2021-44228) lists it among the most critical class of vulnerabilities.

The National Weather Service’s Advanced Weather Interactive Processing System (AWIPS) uses the log4J package, and it is included in Unidata’s distribution of both EDEX and CAVE. The Unidata AWIPS team has been in contact with NOAA's Information System Security Officer regarding this vulnerability.

Unidata’s AWIPS team has determined that it does not affect Unidata’s AWIPS distribution. In the best judgment of the Unidata AWIPS team this exploit does not represent a threat to installed systems. As we continue to monitor the situation, we will do our best to keep you informed about any actions you should take to secure your AWIPS systems.

Please send any questions to support-awips@xxxxxxxxxxxxxxxx

All the best,
The AWIPS Development Team

--
Tiffany Meyer
AWIPS Lead Software Engineer IV
UCAR - Unidata